Resource Configuration Notes

If SecurID is installed on Windows, the adapter interfaces with the apidemon
that is shipped with the installed version of RSA ACE/Server. Copy the apidemon
from the ACE/Server installation directory (by default,
c:\ace\utils\toolkit\apidemon.exe) to c:\winnt\system32 or c:\windows\system32.
Note that the RSA ACE 6.1 apidemon.exe is in the ACEInstallDir\prog directory.

The UNIX adapter uses the RSA ACE/Server Administration Toolkit TCL
API. This API must be located in the ACEInstallDir/utils/tcl/bin directory. The value of ACEInstallDir is
specified as a resource parameter. The toolkit must be configured as described
in the Customizing Your RSA ACE/Server Administration publication
provided by RSA.

In addition, ensure that the following conditions are true so that you
can manage RSA Users and other ACE database objects through Identity Manager:

The SecurID user name specified in the Administrator
Login (on the Windows adapter) or the Login
User (on the UNIX adapter) resource parameter exists in the ACE/Server.
If not, create an ACE user with the same default login name.

This SecurID user must log in to the ACE/Server with a password
instead of a tokencode. Set the RSA ACE Server user’s password to the
same value specified on the adapter.

If the current RSA ACE Server
system policy does not allow a password to be set using the characters you
need (for example, an alphanumeric PIN), or if you need to change the default
setting for user password expiration, edit the system parameters on the RSA
ACE Server Database console.

A password changed through the RSA ACE Server administrator console
is a one-time password that expires the first time this user logs in.
Use the RSA ACE Agent Test Authentication facility to log in so that you can
change the user’s password to one that does not expire immediately.
You may change it to the same value, so that it still matches
the password specified in the resource adapter.

On Windows, an RSA ACE Agent Host must be added for the host
where the Identity Manager gateway is running. This can be configured from
the Database Administration - Host Mode console interface on the system where
the RSA ACE Server is running. You must configure the DNS host name and network
address, and you must specify which users have access. In addition, the agent
type must be set to Net OS Agent.

If a SecurID group name or site name contains a comma, Identity Manager might
not be able to parse the name correctly. Avoid using commas in SecurID group
names and site names.

Identity Manager Installation Notes

If SecurID is installed on Windows, the Identity Manager gateway must
be running on the same system where the RSA ACE/Server is installed.

Usage Notes

This section provides information about using the SecurID ACE/Server
resource adapter and is organized into the following sections:

Enabling Pass-Through Authentication on UNIX

Because the RSA C API on UNIX is not supported, enabling pass-through
authentication with the SecurID ACE/Server UNIX adapter is not a straightforward
process. Performing pass-through authentication on this adapter requires the
following interactions between components:

Note the following configuration and implementation points when enabling
pass-through authentication with the SecurID ACE/Server UNIX adapter:

The Sun Identity Manager Gateway and the RSA ACE Agent Host must reside on the
same Windows host. See the Resource Configuration Notes section for more information.

If the UNIX RSA server lists itself as a client, the account
used to authenticate users must be defined on the UNIX resource. See the Resource
Configuration Notes section for more information.

You must specify a value for the ACE
Server Authentication Resource resource parameter in the SecurID
ACE/Server UNIX adapter. This value must match a resource name specified in
a valid SecurID ACE/Server (for Windows) adapter.

SecurID’s authentication policies require that the UNIX SecurID server be
aware of the RSA ACE Agent for Windows. The sdconf.rec file must be present
and configured correctly on the Windows host.

The RSA ACE Agent for Windows must be activated for users
attempting to use pass-through authentication.

Identity Manager must be configured to use the SecurID ACE/Server
or SecurID ACE/Server UNIX login module.

Candidate users for authentication must be configured with
an Identity Manager role and organization.

Enabling Multiple Tokens

The default schema map for both SecurID resource adapters is set up
to allow the administrator to specify one token. If you are using the SecurID
User Form provided in the InstallDir\samples\forms directory,
perform the following steps to enable up to three tokens.

Rename the following Identity Manager User Attributes on the left
side of SecurID ACE/Server schema map:

Original Identity Manager User Attribute  Renamed Identity Manager User Attribute
----------------------------------------  ---------------------------------------
tokenClearPin                             token1ClearPin
tokenDisabled                             token1Disabled
tokenLost                                 token1Lost
tokenLostPassword                         token1LostPassword
tokenLostExpireDate                       token1LostExpireDate
tokenLostExpireHour                       token1LostExpireHour
tokenLostLifeTime                         token1LostLifeTime
tokenPinToNTC                             token1PinToNTC
tokenPinToNTCSequence                     token1PinToNTCSequence
expirePassword                            token1NewPinMode
password                                  token1Pin
tokenResync                               token1Resync
tokenFirstSequence                        token1FirstSequence
tokenNextSequence                         token1NextSequence
tokenSerialNumber                         token1SerialNumber
tokenUnassign                             token1Unassign

Add the following fields to the schema map to accommodate a second
token:

Identity Manager User Attribute   Resource User Attribute
-------------------------------   -----------------------
token2ClearPin                    token2ClearPin
token2Disabled                    token2Disabled
token2Lost                        token2Lost
token2LostPassword                token2LostPassword
token2LostExpireDate              token2LostExpireDate
token2LostExpireHour              token2LostExpireHour
token2LostLifeTime                token2LostLifeTime
token2NewPinMode                  token2NewPinMode
token2PinToNTC                    token2PinToNTC
token2PinToNTCSequence            token2PinToNTCSequence
password                          token2Pin
token2Resync                      token2Resync
token2FirstSequence               token2FirstSequence
token2NextSequence                token2NextSequence
token2SerialNumber                token2SerialNumber
token2Unassign                    token2Unassign

Add the following fields to the schema map to accommodate a third
token:

Identity Manager User Attribute   Resource User Attribute
-------------------------------   -----------------------
token3ClearPin                    token3ClearPin
token3Disabled                    token3Disabled
token3Lost                        token3Lost
token3LostPassword                token3LostPassword
token3LostExpireDate              token3LostExpireDate
token3LostExpireHour              token3LostExpireHour
token3LostLifeTime                token3LostLifeTime
token3NewPinMode                  token3NewPinMode
token3PinToNTC                    token3PinToNTC
token3PinToNTCSequence            token3PinToNTCSequence
password                          token3Pin
token3Resync                      token3Resync
token3FirstSequence               token3FirstSequence
token3NextSequence                token3NextSequence
token3SerialNumber                token3SerialNumber
token3Unassign                    token3Unassign

Retrieving Tokens by Status

The SecurID adapters can return a list of tokens that meet a specified
set of characteristics, such as token type, status, or expiration. For example,
the following user form snippet returns a list of all 128-bit tokens that
have not been assigned.

The values that may be assigned to the field, compareType, and value strings
are defined in the documentation for the RSA Sd_ListTokensByField function.
Refer to the RSA publication Customizing Your RSA ACE/Server Administration for
more information.

Password Policies

If Identity Manager uses passwords that contain alphabetic characters,
and SecurID does not permit alphabetic characters in a PIN, the following message
is returned:

To correct this error, either modify the Identity Manager password policy
for the resource so that passwords cannot contain alphabetic characters, or change
the PIN restrictions on the resource to permit alphabetic characters.

Gateway Timeouts

The SecurID ACE/Server for Windows adapter allows you to use the RA_HANGTIMEOUT
resource attribute to specify a timeout value, in seconds. This attribute
controls how long Identity Manager waits before a request to the gateway times
out and is considered hung.

You must manually add this attribute to the Resource object as follows:

The default value for this attribute is 0, indicating that Identity Manager will
not check for a hung connection.

Security Notes

This section provides information about supported connections and privilege requirements.

Supported Connections

Identity Manager can use the following to communicate with the SecurID
ACE/Server adapter:

Sun Identity Manager Gateway (Windows only)

Telnet (UNIX only)

SSH (UNIX only)

SSHPubKey (UNIX only)

For SSHPubKey connections, the private key must be specified on the
Resource Parameters page. The key must include comment lines such as
--- BEGIN PRIVATE KEY --- and --- END PRIVATE KEY ---.
The public key must be placed in the /.ssh/authorized_keys file
on the server.

Required Administrative Privileges

The user specified in the Login User resource parameter (on UNIX) or
in the Administrator Login resource parameter (on Windows) must be assigned
to an administrative role that has the ability to run user- and token-related
tasks.

You can use a test connection to verify whether:

These commands exist in the administrator user’s path

The administrative user can write to /tmp

The administrative user has rights to run certain commands

A test connection can use different command options than a normal provisioning
run.

Note –

The Resource SecurID Administrators report lists all available
administrators for the SecurID resource. This report describes the properties
of each administrator, including administrator name, Admin level, Admin task
list, Admin site, and Admin group. You can download this report in both .csv
and .pdf formats.

Provisioning Notes

The following table summarizes the provisioning capabilities of this
adapter.

Feature                       Supported?
----------------------------  ----------
Enable/disable account        Yes
Rename account                Yes
Pass-through authentication   Yes
Before/after actions          No
Data loading methods          Import from resource, Reconciliation

Account Attributes

The following table provides information about SecurID ACE/Server account attributes. The
data type for all attributes is String, unless otherwise noted.

The SecurID ACE/Server adapters do not support custom account attributes
(known as User Extension Data on SecurID) that contain multiple values.

Identity Manager User Attribute (Resource User Attribute)
    Description

adminGroup (adminGroup)
    The group the administrator is a member of. This is a read-only attribute.

adminLevel (adminLevel)
    The administrative level of the user. The value can be realm, site,
    or group. This is a read-only attribute.

adminSite (adminSite)
    The sites to which the administrator has access. This is a read-only
    attribute.

adminTaskList (adminTaskList)
    The name of the set of tasks that the administrator can perform. This
    is a read-only attribute.

adminTaskListTasks (adminTaskListTasks)
    The specific tasks the administrator can perform. This is a read-only
    attribute.

allowedToCreatePin (allowedToCreatePin)
    Read-only Boolean attribute that indicates that a user is allowed to
    specify a PIN. If the PIN is not specified, the system generates one for
    the user.

clients (clients)
    Specifies the clients a user is a member of.

accountId (defaultLogin)
    The account ID for the user in ACE/Server. Maximum 48 characters.

defaultShell (defaultShell)
    User’s default shell. Maximum 256 characters.

expirePassword (WS_PasswordExpired)
    Indicates whether the password will be expired. When the password is
    expired, the SecurID account is placed in New PIN Mode. This is a write-only
    attribute.

firstname (firstname)
    Required. The user’s first name. Maximum 24 characters.

groups (groups)
    Specifies the groups a user is a member of.

lastname (lastname)
    Required. The user’s last name. Maximum 24 characters.

remoteAlias (remoteAlias)
    The user’s login name in their remote realm.

remoteRealm (remoteRealm)
    For remote users, the realm the user is part of.

requiredToCreatePin (requiredToCreatePin)
    Read-only Boolean attribute that indicates that a user must specify
    a PIN.

tempEndDate (tempEndDate)
    Date when temporary mode ends.

tempEndHour (tempEndHour)
    Hour when temporary mode ends.

tempStartDate (tempStartDate)
    Date when temporary mode begins.

tempStartHour (tempStartHour)
    Hour when temporary mode begins.

tempUser (tempUser)
    Sets a user in or out of temporary mode.

tokenClearPin (token1ClearPin)
    When set on a user update, causes the user’s PIN to be cleared.

tokenDisabled (token1Disabled)
    When set on a user update, causes the user’s PIN to be disabled.

tokenLost (token1Lost)
    When set to true on a user update, the account is put in emergency
    access mode within RSA.

tokenLostPassword (token1LostPassword)
    When the value is not blank, the lost token uses the value given as the
    temporary passcode. If the value is blank, the legacy behavior of having
    RSA assign temporary passcodes is performed. This is a write-only attribute.

tokenLostExpireDate (token1LostExpireDate)
    Specifies the date when the “lost token” temporary password expires.
    This attribute is meaningful only when tokenLostPassword is not blank
    and tokenLostLifeTime is either blank or zero. This is a write-only attribute.
    This attribute is not implemented in the sample user form.

tokenLostExpireHour (token1LostExpireHour)
    Specifies the hour when the “lost token” temporary password expires
    (for example, use 16 to represent 4:00 P.M.). This attribute is meaningful
    only when tokenLostPassword is not blank and tokenLostLifeTime is either blank
    or zero. This is a write-only attribute.
    This attribute is not implemented in the sample user form.

tokenLostLifeTime (token1LostLifeTime)
    Specifies how long, in hours, to honor the temporary passcodes. This
    field can be used regardless of the value of tokenLostPassword. This is a
    write-only attribute.

tokenFirstSequence (token1FirstSequence)
    Specifies the original token when a token needs to be resynchronized.
    This is a write-only attribute.

tokenNewPinMode (token1NewPinMode)
    When the user’s account has been placed in New PIN Mode, specifies the
    user’s new PIN.

tokenNextSequence (token1NextSequence)
    Specifies the new token when a token needs to be resynchronized. This
    is a write-only attribute.

tokenPin (token1Pin)
    Encrypted. The user’s PIN.

tokenPinToNTC (token1PinToNTC)
    If set to true, begins the process of setting the PIN of the specified
    assigned token to the next tokencode.

tokenPinToNTCSequence (token1PinToNTCSequence)
    Specifies the user’s current tokencode.

tokenResync (token1Resync)
    Indicates whether to resynchronize a token. This attribute enables the
    tokenFirstSequence and tokenNextSequence attributes. This is a write-only
    attribute.

tokenSerialNumber (token1SerialNumber)
    Token serial number. Must be 12 characters. Insert leading zeros as
    needed to meet this requirement.

tokenUnassign (token1Unassign)
    Specifies a token to remove from a user. This is a write-only attribute.

userType (userType)
    Must be either Remote or Local.
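As an added example (not part of the Identity Manager documentation or the adapter code), the following Python check applies the constraints stated in the attribute table above, the 12-character token serial number rule, and the earlier note about commas in group names, so that a malformed provisioning request is caught before it reaches the ACE/Server. The digits-only serial rule, the 0 to 23 range for the expiry hour, and treating groups as a list of names are assumptions.

```python
import re

# Constraints taken from the account attribute table: maximum lengths,
# required attributes, the allowed userType values and the serial length.
MAX_LEN = {"accountId": 48, "firstname": 24, "lastname": 24, "defaultShell": 256}
REQUIRED = ("firstname", "lastname")
USER_TYPES = ("Remote", "Local")
SERIAL_LEN = 12


def normalize_serial(serial):
    """Zero-pad a token serial number to the 12 characters ACE/Server expects.

    Returns None when the value cannot be made valid: longer than 12, or not
    all digits (digits-only is an assumption; the table states only the length).
    """
    text = str(serial).strip()
    if not text.isdigit() or len(text) > SERIAL_LEN:
        return None
    return text.zfill(SERIAL_LEN)


def validate_account(attrs):
    """Return the problems found in an account attribute dict ([] when clean).

    attrs maps Identity Manager user attribute names to values; "groups" is
    assumed to be a list of group names.
    """
    problems = []
    for name in REQUIRED:
        if not attrs.get(name):
            problems.append("%s is required" % name)
    for name, limit in MAX_LEN.items():
        if name in attrs and len(attrs[name]) > limit:
            problems.append("%s exceeds %d characters" % (name, limit))
    if "userType" in attrs and attrs["userType"] not in USER_TYPES:
        problems.append("userType must be Remote or Local")
    # Commas in group names can stop Identity Manager parsing the name.
    for group in attrs.get("groups", []):
        if "," in group:
            problems.append("group name %r contains a comma" % group)
    for name, value in attrs.items():
        # token1SerialNumber, token2SerialNumber, ... (multiple-token schema map)
        if re.fullmatch(r"token\dSerialNumber", name) and normalize_serial(value) is None:
            problems.append("%s is not a serial number of up to 12 digits" % name)
        # The "lost token" expiry hour is on a 24-hour clock (16 means 4:00 P.M.)
        if re.fullmatch(r"token\dLostExpireHour", name):
            if not (str(value).isdigit() and int(value) <= 23):
                problems.append("%s must be an hour from 0 to 23" % name)
    return problems
```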

Resource Object Management

Identity Manager supports the following SecurID ACE/Server objects by
default.

Table 39–1 Supported SecurID ACE/Server Objects

group
    Features supported: List, view
    Attributes managed: Groupname, list of users assigned to this group,
    list of clients activated to this group

clients
    Features supported: List, view
    Attributes managed: Client name, list of users assigned to this client,
    list of groups activated to this client

Identity Template

$accountId$

Sample Forms

SecurID User Form

Troubleshooting

Use the Identity Manager debug pages
to set trace options on the following classes:

com.waveset.adapter.SecurIdResourceAdapter

com.waveset.adapter.SecurIdUnixResourceAdapter

com.waveset.adapter.SVIDResourceAdapter

Tracing can also be enabled on the following methods to diagnose problems
connecting to the gateway on Windows systems: